Microsoft Windows So Insecure That Even Fonts Are Remotely Exploitable

Dr. Roy Schestowitz

2015-06-25 10:28:47 UTC
Modified: 2015-06-25 10:28:47 UTC

Turning the alphabet into a security nightmare

Alphabet

Summary: Windows userbase is once again under serious threat and high risk because something as simple as fonts (rendering of text/pixels on the screen) isn't done securely in Windows

THERE IS plenty evidence which shows that Microsoft is not interested in security, maybe because there are commitments to the NSA (the motivations are hard to reason about, but Microsoft's reluctant to patch known holes is easily demonstrable).

Now we are being reminded that even fonts are a security risk in Windows. Yes, Microsoft continues to put users under remote execution threat because of fonts. As the British media put it:

Get patching: Google Project Zero hacker Mateusz Jurczyk has dropped 15 remote code execution vulnerabilities, including a single devastating hack against Adobe Reader and Windows he reckons beats all exploit defences.

The accomplished offensive security researcher (@j00ru) presented findings at the Recon security conference this month under the title One font vulnerability to rule them all: A story of cross-software ownage, shared codebases and advanced exploitation [PDF ] without much fanfare and published a video demonstration of the exploit overnight.

As one commenter (found by Robert Pogson) put it, "Adobe (and I guess MS as well) put font handling in the kernel from NT 4.0 to gain speed at the expense of having privileged-based protection, and against Dave Cutler's original micro kernel plans. What could possibly go wrong?"

Proprietary software is so bad that even fonts are a huge risk. This isn't the first such incident. It serves also as a reminder for GNU/Linux users because some users continues to install proprietary software from Adobe, despite Free/libre alternatives being equally potent.

To quote the part which shows why Windows makes things even worse: "The nastiest vulnerabilities for 32-bit (CVE-2015-3052) and 64-bit (CVE-2015-0093) systems exist in the Adobe Type Manager Font Driver (ATMFD.dll) module which has supported Type 1 and Type 2 fonts in the Windows kernel since Windows NT 4.0." ⬆

"Our products just aren't engineered for security."

--Brian Valentine, Microsoft executive

Recent Techrights' Posts

FSFE (Ja, Das Gulag Deutschland) Has Lost Its Tongue: Articles/month
Ian Jackson & Debian reject mediation: Reprinted with permission from disguised.work
How to get selected for Outreachy internships: Reprinted with permission from disguised.work
Red Hat Corporate Communications is "Red" Now: Also notice they offer just two options: MICROSOFT or... MICROSOFT!
Links 26/04/2024: XBox Sales Have Collapsed, Facebook's Shares Collapse Too: Links for the day
Almost 2,700 New Posts Since Upgrading to Static Site 7 Months Ago, Still Getting More Productive Over Time: We've come a long way since last autumn
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Friday, April 26, 2024: IRC logs for Friday, April 26, 2024
Overpaid lawyer & Debian miss WIPO deadline: Reprinted with permission from disguised.work
Brian Gupta & Debian: WIPO claim botched, suspended: Reprinted with permission from disguised.work
Microsoft's XBox is Dying (For Second Year in a Row Over 30% Drop in Hardware Sales): they boast about fake numbers or very deliberately misleading numbers that represent two companies, not one
[Meme] Granting a Million Monopolies in Europe (to Non-European Companies) at Europe's Expense: Financialization of the EPO
Salary Adjustment Procedure at the EPO Challenged: the EPO must properly compensate staff in order to attract and retain suitably skilled examiners
Links 26/04/2024: Surveillance Abundant, Restoring Net Neutrality Rules (US): Links for the day
Gemini Links 26/04/2024: uConsole and EXWM and stdu 1.0.0: Links for the day
Albanian women, Brazilian women & Debian Outreachy racism under Chris Lamb: Reprinted with permission from disguised.work
Microsoft-Funded 'News' Site: XBox Hardware Revenue Declined by 31%: Ignore the ludicrous media spin
Mark Shuttleworth, Elio Qoshi & Debian/Ubuntu underage girls: Reprinted with permission from disguised.work
Karen Sandler, Outreachy & Debian Money in Albania: Reprinted with permission from disguised.work
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Thursday, April 25, 2024: IRC logs for Thursday, April 25, 2024
Links 26/04/2024: Facebook Collapses, Kangaroo Courts for Patents, BlizzCon Canceled Under Microsoft: Links for the day
Gemini Links 26/04/2024: Music, Philosophy, and Socialising: Links for the day
Microsoft Claims "Goodwill" Is an Asset Valued at $119,163,000,000, Cash Decreased From $34,704,000,000 to $19,634,000,000 and Total Liabilities Grew to $231,123,000,000: Earnings Release FY24 Q3
More Microsoft Cuts: Events Canceled, Real Sales Down Sharply: So they will call (or rebrand) everything "AI" or "Azure" or "cloud" while adding revenues from Blizzard to pretend something is growing
CISA Has a Microsoft Conflict of Interest Problem (CISA Cannot Achieve Its Goals, It Protects the Worst Culprit): people from Microsoft "speaking for" "Open Source" and for "security"
Links 25/04/2024: South Korean Military to Ban iPhone, Armenian Remembrance Day: Links for the day
Gemini Links 25/04/2024: SFTP, VoIP, Streaming, Full-Content Web Feeds, and Gemini Thoughts: Links for the day
Audiocasts/Shows: FLOSS Weekly and mintCast: the latest pair of episodes
[Meme] Arvind Krishna's Business Machines: He is harming Red Hat in a number of ways (he doesn't understand it) and Fedora users are running out of patience (many volunteers quit years ago)
[Video] Debian's Newfound Love of Censorship Has Become a Threat to the Entire Internet: SPI/Debian might end up with rotten tomatoes in the face
Joerg (Ganneff) Jaspert, Dalbergschule Fulda & Debian Death threats: Reprinted with permission from disguised.work
Amber Heard, Junior Female Developers & Debian Embezzlement: Reprinted with permission from disguised.work
[Video] Time to Acknowledge Debian Has a Real Problem and This Problem Needs to be Solved: it would make sense to try to resolve conflicts and issues, not exacerbate these
Daniel Pocock elected on ANZAC Day and anniversary of Easter Rising (FSFE Fellowship): Reprinted with permission from Daniel Pocock
[Video] IBM's Poor Results Reinforce the Idea of Mass Layoffs on the Way (Just Like at Microsoft): it seems likely Red Hat layoffs are in the making
Ulrike Uhlig & Debian, the $200,000 woman who quit: Reprinted with permission from disguised.work
IRC Proceedings: Wednesday, April 24, 2024: IRC logs for Wednesday, April 24, 2024
Over at Tux Machines...: GNU/Linux news for the past day